Method and apparatus for remote portable wireless device authentication

ABSTRACT

A method and apparatus provides for user authentication. In an example, the method and apparatus includes establishing a very short range wireless communication link between the first apparatus and the second apparatus and authenticating a user of the first apparatus by the second apparatus directly using a different and short range peer to peer wireless communication link between the first apparatus and the second apparatus in response to establishing the very short range wireless communication link.

RELATED CO-PENDING APPLICATION

This application is a continuation of application Ser. No. 13/836,431,filed on Mar. 15, 2013, having inventors Clayton Douglas Smith et al.,titled “METHOD AND APPARATUS FOR REMOTE PORTABLE WIRELESS DEVICEAUTHENTICATION”, which is a continuation-in-part of application Ser. No.13/742,748, filed on Jan. 16, 2013, having inventors Clayton DouglasSmith et al., titled “METHOD AND APPARATUS FOR REMOTE PORTABLE WIRELESSDEVICE AUTHENTICATION”, which claims priority to Provisional ApplicationSer. No. 61/587,474, filed on Jan. 17, 2012, having inventors ClaytonDouglas Smith et al., titled “METHOD AND APPARATUS FOR REMOTE PORTABLEWIRELESS DEVICE AUTHENTICATION”, all of which are incorporated herein byreference.

BACKGROUND OF THE DISCLOSURE

The disclosure relates generally to a method and apparatus for using asmart phone to authenticate the user to a smart card reader emulationdevice.

As computers and other electronic devices store an increasingly largeand sensitive amount of information, the computers and other electronicdevices must be secured against unauthorized users. An effective way ofsecuring computers and other electronic devices is to encrypt orotherwise disallow access to a computer until a user provides hardwareand/or software that includes unique identifying information about theuser. In one embodiment, smart cards may be used to store and transmitunique information about a user to a computer, so that the user mayrequest and gain access to the computer. The smart card includessoftware and/or hardware, and also stores information that uniquelyidentifies a user. The uniquely identifying information may include, forexample, representative biometric information about the user, a uniqueencryption certificate generated for the user, or other uniquelyidentifying information. The user may request access to a computer, andbe granted access if the user is authenticated. Smart cards, generally,are physical devices that include memory, and may include otherprocessing components, such as a processor and/or battery. The smartcards generally must be carried by the user, and inserted directly intoa computer or device associated with the computer. If a user wishes togain access to many computers, the user may need more than one smartcard. The weight and bulk of one or more smart cards may deter usersand/or administrators from implementing smart card security. It iscommon for users to carry smart phones, and smart phones include memoryand/or processing capability that may enable them to operate as a smartcard. Replacing one or more smart cards with a single smart phone mayreduce overall bulk, and may make it more likely for users to implementsmart card security.

Known smart card emulation systems can include a component located on asmart phone to remotely lock and unlock a computer via a Bluetoothconnection. However such systems do not appear to allow a user to selecta signal strength of the Bluetooth connection to change the range thatthe smart phone may lock or unlock the computer.

Also, it is known to allow a user to automatically lock and unlock acomputer using a Bluetooth device such as a mobile phone. The user canconfigure the proximity distance and duration, and when the Bluetoothdevice moves away from the computer, the screensaver is triggered andthe computer is locked. When the Bluetooth device is in range, theprogram unlocks the computer, without requiring user input. However,such systems do not require authentication of the Bluetooth device, ortransmission of data between the Bluetooth device and the computer forauthentication of the Bluetooth device to the computer.

Near field communication techniques are also known between wirelessdevices that use very short range wireless links. Setting up the nearfield communication links can involve exchanging key pairs used toestablish a Bluetooth connection or a short range connection. As such,two different wireless protocols are used using two different types ofshort range links. The information that is transferred in the near fieldcommunication may include, for example, key pairs and device IDs thatare then used by two devices to establish a short range communicationlink wherein the short range communication link is encrypted. Typically,the systems authenticate each device to each other to provide a type ofmutual authentication of devices. However, the user may have to selectfrom many machines in a room if they want to authenticate two machinesin a wireless range. Also, user authentication is not typically providedwith such systems.

Also in systems that fail to employ very short range communicationlinks, such as pure Bluetooth links or other short range links, userauthentication can be provided to automatically unlock a device when theBluetooth device is activated. However, when multiple devices are withinrange, a user needs to typically manually select which device to unlock.Accordingly, it is desirable to have an improved user authenticationtechnique.

Accordingly, there exists a need for an improved method and apparatusfor using a portable wireless device to authenticate a user.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments will be more readily understood in view of the followingdescription when accompanied by the below figures and wherein likereference numerals represent like elements, wherein:

FIG. 1 is a block diagram illustrating an example of a system for remotesmart phone authentication according to an embodiment of the presentdisclosure;

FIG. 2 is a block diagram illustrating smart card reader emulationdevice and smart phone radio transceivers according to an embodiment ofthe present disclosure;

FIG. 3 is a flowchart illustrating remote authentication from a smartcard reader emulation device according to an embodiment of the presentdisclosure;

FIG. 4 is a flowchart illustrating remote authentication according to asmart phone according to an embodiment of the present disclosure;

FIG. 5 is a flowchart illustrating a method of proximity authenticationaccording to an embodiment of the present disclosure;

FIG. 6 is an exemplary graphical user interface showing a selectablesignal strength according to an embodiment of the present disclosure;

FIG. 7 is a diagram graphically illustrating communications between afirst device and a second device in accordance with one example setforth in the disclosure;

FIG. 8 is a flowchart illustrating one method for providing userauthentication in accordance with one example set forth in thedisclosure; and

FIG. 9 is a flowchart illustrating one method for providing userauthentication in accordance with one example set forth in thedisclosure.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Briefly, in one example, a method for user authentication is provided.In an example, the method and apparatus includes establishing a veryshort range wireless communication link between the first apparatus andthe second apparatus and authenticating a user of the first apparatus bythe second apparatus directly using a different and short range peer topeer wireless communication link between the first apparatus and thesecond apparatus in response to establishing the very short rangewireless communication link.

In some embodiments the method includes receiving a selected signalstrength for smart card emulation authentication. The method alsoincludes receiving a signal from a portable wireless device radiotransceiver. The method also includes measuring the signal strength ofthe signal. The method also includes, if the signal is at or above theselected signal strength, transmitting one or more signals to theportable radio device radio transceiver requesting user authentication,and if the signal is not at or above a selected signal strength,refusing a request to authenticate by the portable radio device radiotransceiver. The method also includes receiving one or moreauthentication response signals from the portable radio device inresponse to the request for user authentication, the one or moreresponse signals including at least authentication information unique toa user.

In another example, a method for user de-authentication is provided. Themethod includes receiving a selected signal strength for smart cardemulation authentication. The method also includes receiving one or moreresponse signals from the portable wireless device in response to arequest for user authentication, the smart card reader emulation deviceradio transceiver receiving a signal. The method also includesmonitoring the strength of the signal, so that if the signal is at orbelow the selected signal strength, the smart card reader emulationdevice de-authenticates a portable wireless device associated with theportable wireless device radio transceiver.

In another example, an apparatus for user authentication is provided,including logic. The logic is operable to receive a selected signalstrength for smart card emulation authentication. The logic is alsooperable to receive a signal from a portable wireless device radiotransceiver. The logic is also operable to measure the signal strengthof the signal. The logic is also operable to, if the signal is at orabove the selected signal strength, transmit one or more signals to theportable radio device radio transceiver requesting user authentication,and if the signal is not at or above a selected signal strength, refusea request to authenticate by the portable radio device radiotransceiver. The logic is also operable to receive one or moreauthentication response signals from the portable radio device inresponse to the request for user authentication, the one or moreresponse signals including at least authentication information unique toa user.

In another example, computer-readable storage medium comprisingexecutable instructions are provided that, when executed by one or moreprocessors, causes the one or more processors to: receive a selectedsignal strength for smart card emulation authentication, receive asignal from a portable wireless device radio transceiver, measure thesignal strength of the signal, if the signal is at or above the selectedsignal strength, transmit one or more signals to the portable radiodevice radio transceiver requesting user authentication, and if thesignal is not at or above a selected signal strength, refuse a requestto authenticate by the portable radio device radio transceiver, andreceive one or more authentication response signals from the portableradio device in response to the request for user authentication, the oneor more response signals including at least authentication informationunique to a user.

Among other advantages, the present disclosure may allow the use ofportable wireless devices or other devices a user carries with one ormore processors and memory in place of one or more smart cards.Accordingly, the proposed techniques can improve user control of devicesby providing a more intuitive and user-friendly way to use a smart cardinfrastructure and/or other multi-factor authentication effectively.Additionally, the smart phone's keyboard, touch screen, and othersensors can be used as inputs to the smart card applet. Informationabout which resources are being authenticated to can be presented to theuser on the smart phone's screen, so that the user is aware of whatresources are being accessed while the smart phone is connected to thecomputer. The user could also be given a choice about whether or not toaccept such accesses. Also, information stored in the smart card appletcan be displayed to the user on the smart phone's screen.

FIG. 1 illustrates an example of a system for remote portable wirelessdevice 101 authentication according to an embodiment of the presentdisclosure. In this example, a radio smart card reader driver 119 on asmart card reader emulation device 117 sends communications to anapplication 123 and/or operating system 125, indicating that a smartcard reader is installed although an actual smart card reader is notinstalled (instead the smart card emulation device is present), andintercepts communications between the application software 123 or theoperating system 125 and the fictional smart card reader. The radiosmart card reader driver 119 transmits the communication orcommunications to the portable wireless device 101 via a smart cardreader emulation device radio transceiver 121. The portable wirelessdevice application 109 operates on the portable wireless device 101 andincludes encryption certificates or other authentication information,and transmits the authentication information or other signals to theradio smart card reader driver 119 based on the communication receivedfrom the application software 123 and/or the operating system 125. Byintercepting the communication between the application software 123and/or the operating system 125, the radio smart card reader driver 119can replace a smart card with a portable wireless device application 109running on a portable wireless device 101, so that a smart card readeris not necessary to utilize functions associated with the application123 and/or the operating system 125 that are reserved for smart cards.

The portable wireless device 101 may be a computing system or otherhardware that includes logic, such as logic that includes, but is notlimited to, one or more processors 105, suitable memory, suitablecommunication interfaces as known in the art, and one or more input andoutput devices, such as a display 139, as known in the art. In anembodiment, the portable wireless device 101 includes a portablewireless device radio transceiver 103, and the portable wireless deviceradio transceiver 103 may enable communication between the portablewireless device 101 and one or more smart card reader emulation devices117, or a portable wireless device 101 and one or more networks. In anembodiment, the portable wireless device radio transceiver 103 operatesover a short range. In an embodiment, the short range is approximatelythirty meters or less. In an embodiment, the portable wireless device101 also includes a radio that allows for long range communication, inthe embodiment, more than thirty meters. The portable wireless device101 may include a telephone portion, including telephone communicationcircuitry. In an embodiment, the portable wireless device 101 includesadditional circuitry or other hardware to provide access to one or morenetworks, such as, for example, the Internet. In an embodiment, theportable wireless device 101 includes one or more processors 105 thatare operable to execute instructions, retrieve locations in the memory107, and write locations to the memory 107. The processor 105 may accessthe memory 107 via one or more busses 143. In an embodiment, the memory107 includes, but is not limited to, hard disk drives, flash memory,random-access memory, or other data storage and recall devices. Theportable wireless device 101 may also be associated with additionalelements, such as an operating system, a speaker, a microphone, anantenna, a display 147, and an input device. The input device may be,for example and without limitation, a keyboard and/or touch screen. Theportable wireless device 101 may include more than one input device, ormay be capable of input from one or more input devices.

The portable wireless device radio transceiver 103, in this example is ashort range transceiver operative to communicate using Bluetooth (peerto peer) operations or any suitable operation and may be hardware or acombination of hardware and executing software. The portable wirelessdevice radio transceiver 103 may, in an embodiment, also be adapted tocommunicate with one or more cellular telephone networks (WWAN), totransmit data and/or voice signals. As explained in more detail below,the portable wireless device radio transceiver 103 may include one ormore modules to communicate over one or more frequencies, or with one ormore communication protocols. The portable wireless device radiotransceiver 103 receives signals from the smart card reader emulationdevice radio transceiver 121, and may include communication protocolsand/or frequencies that allow the portable wireless device radiotransceiver 103 to communicate with the smart card reader emulationdevice radio transceiver 121. The portable wireless device radiotransceiver 103 receives one or more signals from the smart card readeremulation device radio transceiver 121, decodes and/or decrypts thesignal to retrieve communications, and transmits the communications tothe portable wireless device application 109 or other applicationsoperating on the portable wireless device 101. The portable wirelessdevice radio transceiver 103 also receives communications from theportable wireless device application 109 and/or other applicationsoperating on the portable wireless device 101, and, in the embodiment,transmits them to smart card reader emulation device radio transceiver121. In an embodiment, the portable wireless device radio transceiver103 employs encryption and/or compression algorithms to thecommunications before transmitting the communications to the smart cardreader emulation device radio transceiver 121.

The portable wireless device application 109 includes one or moreinstructions stored in memory, and is executable by the processor on theportable wireless device 101. The portable wireless device application109, in an embodiment, remains resident in the memory while the portablewireless device 101 is operating. The portable wireless deviceapplication 109 may include one or more modules operable to receiveinput, generate output, and execute tasks related to the input. Themodule, in the example, is a processor or a portion of a processorexecuting instructions to cause the processor to perform one or morefunctions. The portable wireless device application 109 includes atleast a smart card applet 113, a smart card emulator 111, and datastorage. The portable wireless device application 109 may also includeother modules that allow communication between the portable wirelessdevice application 109 and other applications resident in the memory ofthe portable wireless device 101. In an embodiment, the portablewireless device application 109 data store 115 is associated with theoperating system of the portable wireless device 101, so that theportable wireless device application 109 accesses the data store 115that is associated with the portable wireless device 101, instead ofhaving a separate data store 115. The portable wireless deviceapplication 109 may access a data store 115 associated with the portablewireless device 101 by using one or more instructions provided by theoperating system operating on the portable wireless device 101. Inputsto the portable wireless device application 109 may be received from thesmart card reader emulation device 117, or inputs to the portablewireless device application 109 may be generated by the portablewireless device 101. Additional inputs associated with the smart cardreader emulation device 117 or the portable wireless device 101 may alsobe used such as, for example and without limitation, biometric inputdevices such as fingerprint readers or cameras.

The smart card emulator 111 is associated with the portable wirelessdevice application 109, and interacts with the radio transceiver 103, orother applications executing in the memory of the portable wirelessdevice 101. The smart card emulator 111 receives input from the radiotransceiver or other applications executing in the memory of theportable wireless device 101, and requests information of the data store115 and/or the smart card applet 113 in response to the input. And inputmay be, for example, a request for one or more certificates stored inthe data store 115, a PIN authentication, a request for a digitalsignature, a request for a decryption operation, or other activitiesassociated with a smart card. The information retrieved from the smartcard applet 113 and/or the data store 115 is transmitted to the radiotransceiver 103, or the requesting application resident in the memory ofthe portable wireless device 101. The smart card emulator 111 provides alibrary of functions that are normally available from a smart card, sothat the smart card emulator 111 can receive communication normallytransmitted to a smart card, and can generate responses that wouldnormally be transmitted by the smart card. In the embodiment, the smartcard emulator communicates with the smart card applet 113 via line 151,and with the data store via line 115. The smart card emulator 111 mayoptionally also communicate with a selectable signal strength generator155 via line 153.

The smart card applet 113 includes software executing in memoryassociated with the portable wireless device 101, and executes requestsfor authentication. The smart card applet 113 may, in an embodiment,create public/private key pairs, and store the public key and/or privatekey in memory. In an embodiment, the smart card applet 113 includespublic key/private key pairs, and provides for the secure storage of thekeys. In an embodiment, the smart card applet 113 may include keyhistory. In an embodiment, the smart card applet 113 may includecertificates for each key pair, and may store the certificates. In anembodiment, the smart card applet 113 may include and/or store digitallysigned facial recognition data points associated with a user. Inembodiment, the smart card applet 113 may include and/or store digitallysigned fingerprint data points associated with a user. In an embodiment,the smart card applet 113 may include additional data structures tostore and/or retrieve authentication information related to user. In anembodiment, the authentication information related to the user may bedigitally signed and or verified. Other information stored or accessedby the smart card applet 113 include personal identification numbers(PINs) or passwords, along with associated lockout counters which limitthe number of invalid guesses an attacker may make.

The data store 115 may include the state of the smart card applet 113.State information may also include, but is not limited to keys,certificates, fingerprints, PINs and lockout counters, or otherinformation. The state information associated with the data store 115may be, in an embodiment, a snapshot of the data stored in it at a givenmoment in time. In an embodiment, the data store 115 may include imagesor keys or data structures that are associated with the smart cardapplet 113, and that the smart card applet 113 may use to authenticate auser to a smart card reader emulation device 117. The data store 115may, in an embodiment, be one or more data structures stored in thememory associated with the portable wireless device 101, and availableto the portable wireless device application 109. In an embodiment, thecontents of the data store 115 may be modified by the portable wirelessdevice application 109. In an embodiment, the data store 115 may beencrypted, and the encryption keys may be held by the portable wirelessdevice application 109 and/or another application executing in thememory of the portable wireless device 101.

The selectable signal strength generator 155 may include optionalfunctionality, and may allow a selection of the signal strength to bemade from the portable wireless device 101. In an embodiment, theselectable signal strength generator 155 includes one or more graphicaluser interfaces to allow a user or administrator to select one or moresignal strengths. For example, the selectable signal strength generator155 may allow a user to select a signal strength based on the user'sproximity to a smart card reader emulation device 117, so that the usermay be positioned relative to the smart card reader emulation device 117where the user would like an action to occur, and may use the selectablesignal strength generator 155 to set the signal strength based on theuser's proximity to the radio transceiver 121 of the smart card readeremulation device 117. The selectable signal strength generator 155communicates the selection of signal strength to the smart card emulator111 via line 153, and may receive communication from the smart cardemulator 111 via line 153. In an embodiment, the graphical userinterface may include the functionality shown in FIG. 6.

In FIG. 6, a graphical user interface 601 is shown. The graphical userinterface 601 includes, but is not limited to, a display 603 that showsthe current signal strength. In the embodiment, the current signalstrength is shown as 15 dB. The user may select a slider 609, to movethe selected signal strength between a minimum 605, which, in theembodiment, may turn off the connection, and a maximum 607, which mayindicate the maximum range of the radio connection link 141. The usermay select the appropriate signal strength, and may save the selectionusing the “set signal strength” button 611. The graphical user interfaceis generated and presented by the processor 105 on the screen for use bya user. In an embodiment, the selectable signal strength based smartcard emulation authenticator 133 operate a graphical user interfacesimilar to graphical user interface 601. The selectable signal strengthbased smart card emulation authenticator 133 may operate the graphicaluser interface 601, where the graphical user interface 601 is residentin the memory 135, and is executed by the processor 157. In anembodiment, the graphical user interface 601 may include additionalfunctionality, such as the ability for a user to select the signalstrength based on the current signal strength.

The smart card reader emulation device 117 may be, for example andwithout limitation, a an executing software module executing by logic,such as logic that includes one or more processors 157 and suitablememory 135, discrete logic, an ASIC or any suitable structure. The smartcard reader emulation device 117 may include a radio transceiver 121(e.g. a short range transceiver), which complements the portablewireless device radio transceiver 103, so that the smart card readeremulation device radio transceiver 121 may communicate with the portablewireless device radio transceiver 103. The smart card reader emulationdevice 117 also includes a radio smart card reader driver 119,application software 123, and one or more operating systems. The radiosmart card reader driver 119, application software 123, and one or moreoperating systems may reside in memory associated with the smart cardreader emulation device 117. The memory 135 may, in an embodiment, benonvolatile. In an embodiment, the radio smart card reader driver 119,application software 123, and one or more operating systems areassociated with logic operating on the smart card reader emulationdevice 117. In an embodiment, the logic includes one or more processors105, operable to execute instructions residing in memory 135. In anembodiment, the memory 135 includes, but is not limited to, hard diskdrives, flash memory, random-access memory, or other data storage andrecall devices. The processor 157 communicates with the memory 135 viaone or more busses 137. The smart card reader emulation device 117 mayalso be associated with additional elements, such as, for example, adisplay 147, and an input device. The input device may be, for exampleand without limitation, a keyboard and/or touch screen. The smart cardreader emulation device 117 may include more than one input device, ormay be capable of input from one or more input devices.

The application software 123 may include one or more applicationsexecuted by the operating system. The application software 123 includes,in an embodiment, software that requires the authentication of a user.For example, application software 123 may require user authentication todigitally sign a document, access information stored on the memoryassociated with the smart card reader emulation device 117, or anothersmart card reader emulation device 117 associated with the smart cardreader emulation device 117 via one or more networks, or add, edit, ordelete data. In an embodiment, the application software 123 requestsuser authentication through one or more commands provided by theoperating system. In another embodiment, the application software 123requests user authentication directly from the portable wireless device101 via the radio smart card reader driver 119. The application softwaresends commands, in an embodiment, to the operating system 125 and/orother applications in the memory 135, which are received by the radiosmart card reader driver 119. The application software 123 may alsoreceive signals from the radio smart card reader driver 119. Thecommunication between the application software 123 and the radio smartcard reader driver 119 is shown in line 127.

The operating system 125 includes the operating system currentlyexecuting in the memory of the smart card reader emulation device 117.The operating system 125 may include one or more drivers to receiveinput from input devices associated with the smart card reader emulationdevice 117, and generate output to output devices associated with thesmart card reader emulation device 117. Input devices may include, butare not limited to, keyboards, smart card reader emulation device 117mice, or one or more network interface cards, that receive input signalsfrom one or more networks, and generate output signals to the one ormore networks. Output devices may include, but are not limited to,displays 139, one or more network interface cards, printers, or otherdevices associated and in communication with the smart card readeremulation device 117. The operating system 125 may include one or morecommands to allow application software 123 to receive input from devicesassociated with the smart card reader emulation device 117, and generateoutput to the devices associated with the smart card reader emulationdevice 117. In an embodiment, the commands include one or more commandsdesignated as application programming interface commands. Applicationprogramming interface commands may be commands that allow applicationsto communicate with the operating system. The operation system 125transmits signals to the radio smart card reader driver 119, andreceives signals from the radio smart card reader driver 119, asindicated in line 129.

In an embodiment, the operating system 125 includes one or more commandsfor a user to authenticate to the operating system 125, in order to gainaccess to commands provided by the operating system 125. Commands mayallow a user to, for example, interact with the operating system,interact with one or more applications associated with the operatingsystem, or access data or execute programs through the operating system.The operating system 125 may include, for example, commands to interactwith a smart card reader, and query a smart card for data thatauthorizes the user to the smart card reader emulation device 117. In anembodiment, the operating system requires authentication to allow userto log on to the operating system.

The selectable signal strength based smart card emulation authenticator133 allows a selection of the signal strength to be made. In anembodiment, the selectable signal strength based smart card emulationauthenticator 133 includes one or more graphical user interfaces toallow a user or administrator to select one or more signal strengths.For example, the graphical user interface may allow a user to selectsignal strengths based on an individual portable wireless device 101, sothat different portable wireless devices 101 have different signalstrength requirements. In another embodiment, the signal strengths maybe selected based on one or more security models or other securityparameters. In an embodiment, signal strength selections are made viaone or more application programming interfaces to the selectable signalstrength based smart card emulation authenticator 133. The selectablesignal strength based smart card emulation authenticator 133communicates the selection of signal strength to the radio smart cardreader driver 119, and receives information from the radio smart cardreader driver 119, as shown in line 131.

The radio smart card reader driver 119 includes executing softwareand/or hardware associated with the smart card reader emulation device117 to replace a smart card reader. The radio smart card reader driver119 includes software and/or instructions operating on the smart cardreader emulation device 117 that intercept authentication requestsbetween the application software 123 and/or the operating system 125,and a smart card reader. For example, the application software 123 mayattempt to send an authentication request to a smart card reader. Theradio smart card reader driver 119 intercepts the authenticationrequest, so that the smart card reader emulation device 117 does notneed to operate a smart card reader. The radio smart card reader driver119 receives authentication requests from the application software 123and or the operating system 125, and translates the authenticationrequest into a format that is readable and answerable by the portablewireless device application 109 executing on the portable wirelessdevice 101. The radio smart card reader driver 119 communicates with thesmart card reader emulation device radio transceiver 121 to sendcommands via the radio transceiver to the portable wireless device 101.The radio smart card reader driver 119 also receives communication fromthe smart card reader emulation device radio transceiver 121, andtranslates the communication into responses to the authenticationrequests from the application software 123 and/or the operating system125. The authentication requests may include, for example, a request forauthentication for digital signing, or requests for authentication of auser. The radio smart card reader driver 119 functions as a replacementfor a smart card reader on the smart card reader emulation device 117,and appears as a smart card reader to the application software 123and/or the operating system 125.

The link 141 between the smart card reader emulation device radiotransceiver 121 and the portable wireless device radio transceiver 103includes, but is not limited to, signals transmitted from the smart cardreader emulation device radio transceiver 121 to the portable wirelessdevice radio transceiver 103, or from the portable wireless device radiotransceiver 103 to the smart card reader emulation device radiotransceiver 121. The signals may include signals required by a protocolover which both transceivers operate, to maintain a link between the twotransceivers, which may also include one or more control signals. Thesignals may also include signals to transmit data between the twotransceivers, which may also be known as data signals. Either of thecontrol signals and the data signals may include additional information.For example, and without limitation, signals transmitted by the portablewireless device radio transceiver 103 to the smart card reader emulationdevice radio transceiver 121 may be received by the smart card readeremulation device radio transceiver 121, which may also receive signalstrength information, or other information regarding the strength and/orquality of the link 141 between the two transceivers. In an embodiment,the data signals include authentication request signals and/orauthentication response signals so that the portable wireless deviceradio transceiver 103 to the smart card reader emulation device radiotransceiver 121 may authenticate to one another.

The smart card reader emulation device radio transceiver 121 may includeone or more modules to communicate over one or more frequencies, or withone or more communication protocols, such as Bluetooth transceiver. Thesmart card reader emulation device radio transceiver 121 receivessignals from the portable wireless device radio transceiver 103, and mayinclude communication protocols and/or frequencies that allow the smartcard reader emulation device radio transceiver 121 to communicate withthe portable wireless device radio transceiver 103. The smart cardreader emulation device radio transceiver 121 receives one or moresignals from the portable wireless device radio transceiver 103, decodesand/or decrypts the signal to retrieve communications, and transmits thecommunications to the radio smart card reader driver 119. The smart cardreader emulation device radio transceiver 121 also receivescommunications from the radio smart card reader driver 119, and, in theembodiment, transmits them to the portable wireless device radiotransceiver 103. In an embodiment, the smart card reader emulationdevice radio transceiver 121 employs encryption and/or compressionalgorithms to the communications before transmitting them to theportable wireless device radio transceiver 103.

In an embodiment, the smart card reader emulation device radiotransceiver 121 may also receive information associated with theportable wireless device radio transceiver 103. The information mayinclude, but is not limited to, strength of the radio signal from theportable wireless device 101. The strength of the radio signal from theportable wireless device 101 may indicate the approximate location ofthe portable wireless device 101 relative to the smart card readeremulation device radio transceiver 121. For example, a weak radio signalfrom the portable wireless device radio transceiver 103 may indicatethat the portable wireless device 101 is at a comparatively largerdistance from the smart card reader emulation device radio transceiver121 than if the radio signal was stronger.

In an embodiment, the application software 123, the operating system125, the radio smart card reader driver 119, the smart card applet 113,the smart card emulator 111, and the data store 115 described herein maybe implemented as software programs stored on a smart card readeremulation device 117 readable storage medium such as but not limited toCD-ROM, RAM, ROM, other forms of ROM, hard drives, distributed memory,etc., in combination with processors. As such, software programs may bestored on smart card reader emulation device 117 readable storagemedium. The smart card reader emulation device 117 readable storagemedium stores instructions executable by one or more processors thatcauses the one or more processors to perform operations describedherein. In the embodiment shown in FIG. 1, the application software 123,the operating system 125, and the radio smart card reader driver 119 arestored in smart card reader emulation device 117 readable storage mediumand are associated with each other, and the smart card applet 113, thesmart card emulator 111, and the data store 115 are stored in smart cardreader emulation device 117 readable medium and are associated with eachother.

FIG. 2 is a block diagram illustrating smart card reader emulationdevice and portable wireless device radio transceivers according to anembodiment of the present disclosure. In the embodiment, the smart cardreader emulation device radio transceiver 121 includes first radiotransceiver 203 and a second radio transceiver 205. The first radiotransceiver 203 includes transmission and receiving structures thatallow the smart card reader emulation device radio transceiver 121 tocommunicate with the portable wireless device 101 via a first protocoland/or a first frequency. The second radio transceiver 205 includestransmission and receiving structures that allow the smart card readeremulation device radio transceiver 121 to communicate with the portablewireless device 101 via a second protocol and/or a second frequency.Similarly, the portable wireless device radio transceiver 103 includes afirst radio transceiver 207 and a second radio transceiver 209 thatcomplement the first radio transceiver 203 and the second radiotransceiver 205 in the smart card reader emulation device radiotransceiver 121, respectively. The smart card reader emulation deviceradio transceiver 121 and the portable wireless device radio transceiver103 may include, for example, additional hardware or combination ofhardware and executing software that allows communication between thetwo radio transceivers over different frequencies and/or differentcommunication protocols. In an embodiment, the first radio transceiverand the second radio transceiver of either the smart card readeremulation device 117 or the portable wireless device 101, or both, areimplemented using software executing on one or more processors, andshare common hardware structures. For example, the first radiotransceiver and the second radio transceiver may share a common antenna,or a common receiver, but the frequencies associated with the firstradio transceiver and the second radio transceiver may be different, andmay be interpreted differently using the software. For example,communications received by a first frequency may be interpreted using afirst protocol, and communications received by a second frequency may beinterpreted using a second protocol. In an embodiment, the first andsecond radio transceivers are separate structures. In the embodiment,the first and second radio transceivers may not share components, maycommunicate directly with processors or memory, and may operateindependently of one another.

FIG. 3 is a flowchart illustrating remote authentication from a smartcard reader emulation device 117 according to an embodiment of thepresent disclosure. The method begins at block 301. At block 303, thesmart card reader emulation device radio transceiver 121 is set to adiscoverable mode. The discoverable mode, in an embodiment, allows thesmart card reader emulation device radio transceiver 121 to search fordevices that it may connect to and communicate with. In an embodiment,the radio smart card reader driver 119 sets the smart card readeremulation device radio transceiver 121 into a discoverable mode. In anembodiment, the operating system 125 or other executable program setsthe smart card reader emulation device radio transceiver 121 into adiscoverable mode.

In block 305, the smart card reader emulation device 117 polls all ofthe devices that the smart card reader emulation device radiotransceiver 121 may communicate with. If a portable wireless device 101or other device with a comparable radio transceiver is found, the smartcard reader emulation device radio transceiver 121 attempts to determineif the smart card reader emulation device radio transceiver 121 mayconnect with the radio transceiver associated with the device. If thesmart card reader emulation device radio transceiver 121 may not connectwith the radio transceiver associated with the device, the smart cardreader emulation device 117 attempts to connect with other devices inthe vicinity, as shown in block 307. If the smart card reader emulationdevice radio transceiver 121 may connect to the radio transceiverassociated with the device, the smart card reader emulation device radiotransceiver 121 checks to see if the device will accept the connection.If the device will not accept the connection, the smart card readeremulation device 117 will move to the next device, as shown in block307. If the device will accept the connection, the smart card readeremulation device 117 will attempt to create a successful connection withthe device, as shown in block 309. In an embodiment, the portablewireless device 101 initiates a connection to the smart card readeremulation device 117. The portable wireless device may initiate theconnection by transmitting one or more signals to the smart card readeremulation device 117.

In block 311, the smart card reader emulation device radio transceiver121 may send one or more signals to the portable wireless device radiotransceiver 103. The portable wireless device application 109 operatingon the portable wireless device 101 may receive the one or more signals,and may generate one or more signals for transmission from the portablewireless device radio transceiver 103 to the smart card reader emulationdevice radio transceiver 121. The smart card reader emulation deviceradio transceiver 121 receives the one or more signals, and transmitsthem to the radio smart card reader driver 119. Based on the signalsreceived from the portable wireless device application 109, the radiosmart card reader driver 119 recognizes that the portable wirelessdevice application 109 is operating on the portable wireless device 101.The radio smart card reader driver 119 may, in an embodiment, send oneor more signals to the operating system 125 that a smart card has beeninserted. The radio smart card reader driver 119, by sending thesesignals to the operating system 125, communicates to the operatingsystem 125 that a smart card has been inserted into a smart card reader,when, in fact, there may not be a smart card reader associated with thesmart card reader emulation device 117.

In block 313, the operating system 125 may attempt to send anauthentication request to the smart card. In another embodiment, theoperating system in the operating system 125 may wait for one or moreapplications in the application software 123 to send an authenticationrequest to the smart card. While the operating system 125 is waiting,the portable wireless device 101 may move out of range of the smart cardreader emulation device radio transceiver 121, in a connection endevent. In a connection end event, indicated in block 315, the smart cardreader emulation device radio transceiver 121 signals to the radio smartcard reader driver 119 that a portable wireless device 101 or otherdevice that was once connected to the smart card reader emulation deviceradio transceiver 121, is no longer found. The radio smart card readerdriver 119 receives the signals from the smart card reader emulationdevice radio transceiver 121, and sends signals to the operating system125 and/or the application software 123 that a smart card has beenremoved from the smart card reader.

In block 317, the operating system 125 and/or the application software123 sends one or more commands to the radio smart card reader driver 119requesting access to the smart card. The request may be, for example andwithout limitation, a request to access data located on the smart card,or one or more authentication requests based on information associatedwith the smart card.

The radio smart card reader driver 119 receives the commands from theapplication 123 and/or the operating system 125, and sends the commandsto the portable wireless device application 109 via the smart cardreader emulation device radio transceiver 121, as shown in block 319.The smart card reader emulation device radio transceiver 121 receivesthe command, and transmits the commands to the portable wireless deviceradio transceiver 103. The transmission may occur via one or morecommunication protocols known by both the smart card reader emulationdevice radio transceiver 121 and the portable wireless device radiotransceiver 103. In an embodiment, the commands are encrypted by thesmart card reader emulation device radio transceiver 121. In anembodiment, the commands are compressed by the smart card readeremulation device radio transceiver 121 before transmission to theportable wireless device radio transceiver 103.

The smart card reader emulation device radio transceiver 121 receivesone or more response signals from the portable wireless device radiotransceiver 103, as shown in block 321. In an embodiment, the smart cardreader emulation device radio transceiver 121 decrypts the signalsreceived from the portable wireless device radio transceiver 103. In anembodiment, the smart card reader emulation device radio transceiver 121decompresses the signals received from the portable wireless deviceradio transceiver 103. The smart card reader emulation device radiotransceiver 121 sends the response to the radio smart card reader driver119.

In block 323, the radio smart card reader driver 119 transmits theresponse to the requesting software. In an embodiment, the radio smartcard reader driver 119 transmits the response to the operating system125. In an embodiment, the radio smart card reader driver 119 transmitsthe response to one or more applications operating in the applicationsoftware 123. The radio smart card reader driver 119 formats theresponse so that it appears to the application software 123 and/or theoperating system 125 to be a response from a smart card reader and smartcard.

In block 325, the operating system 125 or the application software 123performs one or more actions based on the response received from theradio smart card reader driver 119. In an embodiment, the operatingsystem 125 receives the response from the radio smart card reader driver119, and, based on the response, authenticates the user, or does notauthenticate the user. In an embodiment, an application executing in theapplication software 123 receives the response from the radio smart cardreader driver 119, and executes one or more commands based on theresponse.

In block 327, the radio smart card reader driver 119 continues tomonitor the application software 123 and the operating system 125 forrequests for access to the smart card, and continues to monitor thesmart card reader emulation device radio transceiver 121 for signalsreceived from the portable wireless device 101. The method may return toblock 313, and continue to monitor until a connection end event isreceived or another request is received from the application software123 or the operating system 125.

FIG. 4 is a flowchart illustrating remote authentication according to aportable wireless device 101 according to an embodiment of the presentdisclosure. The method may begin at block 401. The method presumes thata portable wireless device 101 is operating, that the portable wirelessdevice application 109 is operating on the portable wireless device 101,and that the portable wireless device radio transceiver 103 is operable.

In block 403, the portable wireless device radio transceiver 103receives a radio connection request from the smart card reader emulationdevice radio transceiver 121. In an embodiment, the radio connectionrequest includes a connection request identified by the Bluetoothprotocol. The connection request may be encrypted, or may includeadditional information regarding the smart card reader emulation deviceradio transceiver 121, the smart card reader emulation device 117,and/or the radio smart card reader driver 119.

In block 405, if the portable wireless device 101 identifies the smartcard reader emulation device radio transceiver 121, the smart cardreader emulation device 117, and/or the radio smart card reader driver119, the portable wireless device 101 may create a connection with thesmart card reader emulation device 117. In an embodiment, the connectionmay be made via Bluetooth protocol. In an embodiment, other radiocommunication protocols may be used. In an embodiment, the radiocommunication protocols may require one or more codes or additionalinformation to be input by the user via the portable wireless device101, by the user and/or the operating system 125 on the smart cardreader emulation device 117, or a combination of the two.

In block 407, data from the data store 115 associated with the portablewireless device application 109 is loaded into memory associated withthe portable wireless device application 109. In an embodiment, thememory may be associated with the portable wireless device 101. In anembodiment, the memory may not be associated with a portable wirelessdevice 101, but may be separate from the portable wireless device 101memory. The data from the data store 115 may include, but is not limitedto, one or more public and/or private keys that uniquely identify auser, one or more pieces of biometric data that uniquely identify auser, one or more certificates, or other data associated with the user,or that may be used to uniquely identify a user. In an embodiment, thedata from the data store 115 may be encrypted in the data store 115, andmay be decrypted prior to storage in the memory. In an embodiment, PINs,passwords, and/or lockout counters may also be stored in the data store115.

In block 409, the portable wireless device application 109 waits forcommands from the smart card reader emulation device radio transceiver121. The commands may be, but are not limited to, authenticationrequests from the application software 123 and/or the operating system125, that are intercepted by the radio smart card reader driver 119.While the portable wireless device applications 109 waits for commandsfrom the smart card reader emulation device radio transceiver 121, theportable wireless device 101 may move out of range of the smart cardreader emulation device radio transceiver 121. In the connection endevent, shown in block 411, the radio transceiver from the portablewireless device 101 cannot communicate with the smart card readeremulation device radio transceiver 121, and the portable wireless deviceapplication 109 stores updated or new state information from the smartcard application to the data store 115. The updated or new stateinformation may include, but is not limited to, information modifiedsince the connection was created in block 405, such as new or updatedkey pairs, PIN or password lockout counter updates, updatedcertificates, or other changed or new information that has beengenerated. The state information may be encrypted before storage in thedata store 115. If a connection end event is indicated, the method mayreturn to block 403, where the portable wireless device 101 may wait forradio connection requests from the smart card reader emulation device117, or from another smart card reader emulation device 117.

In block 413, the portable wireless device application 109 receives oneor more commands from the portable wireless device radio transceiver103. The one or more commands may be, but are not limited to,authentication requests from the application software 123 and/or theoperating system 125 via the radio smart card reader driver 119. Theportable wireless device application 109 receives the command orcommands via the portable wireless device radio transceiver 103. Theportable wireless device application 109 receives the one or morecommands, and transmits the one or more commands to the smart cardapplet 113.

In block 415, the smart card emulator 111 translates the commandsreceived from the portable wireless device radio transceiver 103 intoone or more commands that the smart card applet 113 may receive andprocess. The smart card emulator 111 transmits the one or more commandsto the smart card applet 113.

In block 417, the smart card applet 113 receives the one or morecommands from the smart card emulator 111, and accesses the data store115 or other memory associated with the portable wireless deviceapplication 109, to retrieve information in order to formulate aresponse to the one or more commands. The smart card applet 113 may, forexample, retrieve one or more certificates from the data store 115and/or the memory associated with the portable wireless device 101 inresponse to the one or more commands. In an embodiment, the smart cardapplet 113 may retrieve biometric identification information from thedata store 115 and/or the memory associated with the portable wirelessdevice 101 in response to the one or more commands. In an embodiment,the smart card applet 113 may retrieve additional information from thedata store 115 and/or the memory associated with the portable wirelessdevice 101 in response to the one or more commands. In an embodiment,the smart card applet 113 may perform one or more transformations on thedata received from the data store 115 and/or the memory associated withthe portable wireless device 101. For example, and without limitation,the smart card applet 113 may retrieve a public key and/or a private keyfrom the data store 115 and/or memory associated with the portablewireless device 101, and may apply the key to the one or more commandsreceived from the smart card emulator 111. The smart card applet 113transmits the information retrieved to the smart card emulator 111. Inan embodiment, the smart card applet 113 may also compare a supplied PINor password with the correct value, may compare the user's suppliedfingerprint data with that stored, may store a supplied certificate orkey for later use, or may generate a new key pair in accordance with theparameters supplied.

In block 419, the smart card emulator 111 transmits the response fromthe smart card applet 113 to the portable wireless device radiotransceiver 103. The portable wireless device radio transceiver 103 maytransmit the response to the smart card reader emulation device radiotransceiver 121 via one or more radio communication protocols. In anembodiment, the response, or other information associated with theresponse, may be encrypted and or compressed before transmission to thesmart card reader emulation device radio transceiver 121. After thesmart card emulator 111 in the portable wireless device radiotransceiver 103 has transmitted the response to the smart card readeremulation device radio transceiver 121, the method may return to block409, where the portable wireless device 101 may wait for additionalcommands to be received from a requesting software via the smart cardreader emulation device radio transceiver 121.

FIG. 5 is a flowchart illustrating a method of proximity authenticationaccording to an embodiment of the present disclosure. The method maybegin at block 501. The method presumes that the smart card readeremulation device radio transceiver 121 is active and is able to connectwith the portable wireless device radio transceiver 103. The method alsopresumes that the portable wireless device radio transceiver 103 isactive and able to pair with the smart card reader emulation deviceradio transceiver 121.

In block 503, the portable wireless device 101 enters a range of thesmart card reader emulation device radio transceiver 121, so that thestrength of the portable wireless device radio transceiver 103 is at orabove a set level. The smart card reader emulation device radiotransceiver 121 measures the signal strength from the portable wirelessdevice 101. The level, in an embodiment, may be set by the user. Inanother embodiment, the level is set by the radio smart card readerdriver 119 and/or the smart card reader emulation device radiotransceiver 121. In an embodiment, the level may be set so that anycontact which enables the smart card reader emulation device radiotransceiver 121 to make and maintain a radio connection to the portablewireless device radio transceiver 103 may be sufficient. In anotherembodiment, the level may be set so that more substantial signalstrength is required to enable a connection, and so a connection may berefused by the smart card reader emulation device radio transceiver 121even though a sufficient radio connection may be made. For example, andwithout limitation, if the level is set so that the smart card readeremulation device radio transceiver 121 refuses connections unless thesignal strength indicates the portable wireless device radio transceiver103 is no more than 5 feet away, a radio connection may be refused ifthe signal strength indicates that the portable wireless device radiotransceiver 103 is 10 feet away from the smart card reader emulationdevice radio transceiver 121. The connection may be refused even if thesmart card reader emulation device radio transceiver 121 and theportable wireless device radio transceiver 103 can make a connection at10 feet or more. The level may be set by a user, or may be set accordingto a security policy and/or other commands from a policy server or othersystem.

In an embodiment, instead of the signal strength being selected and usedto set a level, the transmit power of the radio transceiver 121 or theradio transceiver 103 is changed, so that the level indicates the rangeat which a connection may be made. For example, the smart card readeremulation device 117 may transmit commands to the remote wireless device101 for the remote wireless device 101 to set its radio transceiver 103at a certain level, according to the user's request or one or moresecurity policies. The remote wireless device 101 may set the transmitpower of the radio transceiver 103 to the level specified by the smartcard reader emulation device 117, so that when the radio transceiver 103and the radio transceiver 121 are in range to create a connection, thetransceivers are also within range of the level set by the user or theone or more security policies.

In block 505, if the portable wireless device 101 is within range of thesmart card reader emulation device radio transceiver 121, and is alsowithin the limit, the smart card reader emulation device radiotransceiver 121 will form a radio connection with the radio transceiver103 associated with the portable wireless device 101.

In block 507 the operating system 125, the application software 123,and/or the radio smart card reader driver 119 may request anauthentication from the portable wireless device application 109. In anembodiment, the operating system 125, the application software 123,and/or the radio smart card reader driver 119 may request one or morecertificates from the portable wireless device application 109. In anembodiment, the smart card reader emulation device 117 may send one ormore challenge requests to the portable wireless device 101. Thechallenge requests may include, for example, data to encrypt with one ormore keys, for example by an asymmetric key pair, where one of the keysis resident on the smart card reader emulation device 117, and the othercomplimentary key is resident on the portable wireless device 101. In anembodiment, a username and/or password may be requested from theportable wireless device 101. In an embodiment, the portable wirelessdevice 101 may be challenged to sign a random value using one or morekeys available to the portable wireless device application 109.

In block 509, the portable wireless device radio transceiver 103receives the authentication request, and transmits the authenticationrequest to the portable wireless device application 109. The portablewireless device application 109 receives the authentication request, andtransmits the authentication request to the smart card emulator 111. Thesmart card emulator 111 receives the authentication request, andtransmits the authentication request to the smart card applet 113. Thesmart card emulator 111 may translate the authentication request so thatit is readable by the smart card applet 113. The smart card applet 113receives the authentication request from the smart card emulator 111,and accesses the data store 115 and/or the memory associated with theportable wireless device 101 to create a response to the authenticationrequest. The response may include, but is not limited to, public and/orprivate keys, certificates, or unique biometric information associatedwith the user. The smart card applet 113 transmits the response to thesmart card emulator 111. The smart card emulator 111 receives theresponse from the smart card applet 113, and transmits the response viathe portable wireless device radio transceiver 103 to the smart cardreader emulation device radio transceiver 121. The smart card readeremulation device radio transceiver 121 receives the response, andtransmits the response to the radio smart card reader driver 119. Theradio smart card reader driver 119 receives the response, and transmitsthe response to the application software 123 and/or the operating system125. The application software 123 and/or the operating system 125receives the response, and performs one or more actions based on theresponse. The actions may include, but are not limited to, authorizing auser to operate the smart card reader emulation device 117, or performone or more tasks with the authority of the user.

In block 511, the smart card reader emulation device radio transceiver121 continues to monitor the signal strength of the portable wirelessdevice radio transceiver 103. In block 513, if the signal strength fromthe portable wireless device radio transceiver 103 is at or above thelimit specified, the method returns to block 511 to continue to monitorthe signal strength. If the signal strength from the portable wirelessdevice radio transceiver 103 is below the limit specified, the methodproceeds to block 515, and the smart card reader emulation device 117de-authorizes the user from using the smart card reader emulation device117. The de-authorization may include, but is not limited to, loggingthe user off of the smart card reader emulation device 117, locking thesmart card reader emulation device 117 to prevent access, or otheractions by the operating system 125 and/or the application software 123to prevent the user from unauthorized access to the smart card readeremulation device 117. The user may also be deauthorized if cached PINand/or password values are erased from the portable wireless device 101and/or the smart card reader emulation device 117, so that they must bere-entered the next time an authentication request is received. If theportable wireless device 101, and the portable wireless device radiotransceiver 103, moved again to within the proximity limit, the methodmay begin again at block 505. In an embodiment, the smart card readeremulation device 117 does not de-authorize the user and/or remove thecertificate, so if the portable wireless device radio transceiver 103moves again to within the proximity limit, the smart card readeremulation device 117 may reauthorize the user to access the smart cardreader emulation device 117, and may continue at block 511.

Among other advantages, the present disclosure may allow the use ofportable wireless devices or other devices a user carries with one ormore processors and memory in place of one or more smart cards.Accordingly, the proposed techniques can improve user control of devicesby providing a more intuitive and user-friendly way to use a smart cardinfrastructure and/or other multi-factor authentication effectively.Additionally, the smart phone's keyboard, touch screen, and othersensors can be used as inputs to the smart card applet. Informationabout which resources are being authenticated to can be presented to theuser on the smart phone's screen, so that the user is aware of whatresources are being accessed while the smart phone is connected to thecomputer. The user could also be given a choice about whether or not toaccept such accesses. Also, information stored in the smart card appletcan be displayed to the user on the smart phone's screen. Otheradvantages will be recognized by those of ordinary skill in the art.

In another embodiment, a method of user authentication employing a veryshort range wireless communication link such as a near fieldcommunication link and a short range wireless communication link such asa Bluetooth type link or other suitable link is employed. Is thisembodiment, a portable wireless device 101 (see FIG. 2) and anotherdevice such as a desktop, laptop computer, or smart card readeremulation device 117 may be employed. In this embodiment, the firstradio transceiver 207 may be a very short range wireless transceiver andthe first radio transceiver 203 may also be a very short range wirelesstransceiver. The two transceivers perform a near field communicationlink operation as known in the art when, for example, the portablewireless device 101 is touched distance to the first radio transceiver203. The second radio transceiver 209 may be a short range wirelesstransceiver that may have a wireless range of 30 meters or less.Similarly, second radio transceiver 205 may also be a short rangewireless transceiver of the same type as second radio transceiver 209.As such, both devices each have a very short range wireless transceiverand a short range wireless transceiver. As previously described, each ofthe devices also includes logic such as discrete logic, suitablyprogrammed processors, state machines, or any other suitable logic tocarry out the operations described herein. In this example, a near fieldcommunication tap is used to automatically initiate user authentication.In this example, user logon authentication will be described. Also inthis example, mutual authentication based user authentication will beemployed meaning that at least two credentials are required to provideuser logon to the device 117 including, for example, a logon to aparticular executing application, function, subsystem or any otherresource. This may include access to websites or any other suitableoperation requiring a user authentication. In this example, both adevice level authentication occurs as well as a user ID identificationsuch as the use of a personal identification number or any othersuitable information.

Referring also to FIGS. 7 and 8, a method for user authentication willbe described using the system of FIG. 2 for example. As shown in FIG. 8,the method may begin as shown in block 800. The method may replaceblocks 303, 305, 307 and 309 of FIG. 3. As shown in block 802, themethod includes establishing a very short range wireless communicationlink between the two devices 101 and 117. This is also shown bycommunication 700 (FIG. 7) between the first and second device wherein,for example, a near field communication link is setup, as known in theart that employs cryptographic key exchanges and respective short rangeMAC addresses to provide identifiers to identify the devices 101 and 117to each other. As shown by communication 702, the logic in the twodevices use the very short range link to exchange link setup informationfor a short range wireless link that will be setup using the short rangewireless transceivers 209 and 205. As such, the very short rangewireless link is used to exchange link setup information for the shortrange wireless link. The logic in the devices establishes a short rangewireless link using the short range wireless transceivers 205 and 209 toprovide an encrypted channel based on the exchanged link setupinformation that was communicated using the very short range wirelesslink (shown as 702).

As shown in block 804, the method includes providing user authenticationfor the device 117 using the short range wireless communication linkbetween the two devices based on establishing the very short rangewireless communication link. This may be accomplished, for example, byusing the short range encrypted channel so that, for example, anoperating system or other operation executing on the logic requests userauthentication information such as a user certificate from the portablewireless device 101. This is shown as communication 704. In response,the short range encrypted channel is used to send a reply with the usercertificate as shown in communication 706. The device 117 sends achallenge to the device 101 which, for example, presents a userinterface to enter a personal identification number (PIN) in response tothe challenge to unlock a cryptographic key for use in the reply to thechallenge. This is shown in communication 708. As shown in communication710, if the PIN entry is successful on the portable wireless device, forexample, a reply to the challenge is then sent to the device 117. Thedevice 117 then verifies the challenge using the certificate that wassent in the reply and grants access of user authentication issuccessful. As such, the device 117 authenticates the user based oncommunicated user authentication information (in this example, acertificate and a PIN) that was sent using the short range wireless linkin response to using the very short range wireless link.

In other words, an NFC tap initiates the process to setup another anddifferent link (the short range link) through which user authenticationinformation is sent to the other device so that the other device canauthenticate the user. In this example, a user logon challenge was sentto the first device, namely a smart phone, and the second devicereceived a user logon reply from the first device based on the userlogon challenge using the short range wireless link. This occurred afterthe very short range link was setup and used to exchange linkconfiguration information to setup the secondary or short range wirelesslink. As such, after a Bluetooth encrypted channel has been setup, theuser authentication is performed based on user credentials. There is noneed for users to attempt to select which device to use in a room ofmultiple devices to which to authenticate, since a very short rangecommunication link is setup through physical proximity of the very shortrange link. Each time the devices are tapped to each other, anotherauthentication can occur. The encrypted Bluetooth channel is used tocommunicate the user authentication information.

Referring to FIG. 9, a method for providing user authentication isshown. As shown in block 900, the method begins and as shown in block902, the method includes performing a wireless link setup operationbetween a first device and a second device wherein the first wirelesslink uses a very short range wireless link such as a near fieldcommunication link between the first and second apparatus. As shown inblock 904, the method includes exchanging link setup information such asdevice authentication information which may be cryptographic keys anddevice IDs using the very short range wireless link that is used tosetup the short range wireless communication link and operation. Asshown in block 906, the method includes establishing the short rangewireless link which is setup as an encrypted channel based on theexchanged link setup information that was communicated using the veryshort range wireless link. As shown in block 908, the method includescommunicating user authentication information between the first andsecond apparatus using the established short range wireless link that isoperating as an encrypted channel. As shown in block 910, the methodincludes authenticating the user based on the communicated userauthentication information communicated over the short range wirelesslink and in response to using the very short range wireless link. Inother words, the short range link is not setup unless the very shortrange wireless link is established and used to communicate link setupinformation for the short range wireless link. The method may thencontinue as shown in block 912 for another user tap and authenticateoperation if desired.

As also shown in FIG. 3, the operation of FIG. 8 may be carried out, forexample, prior to block 317. However, it will be recognized that theprocess may be carried out at any suitable point and need not be carriedout in connection with the operation of FIG. 3 if desired.

The above detailed description of the invention and the examplesdescribed therein have been presented for the purposes of illustrationand description only and not by limitation. It is therefore contemplatedthat the present invention cover any and all modifications, variationsor equivalents that fall within the spirit and scope of the basicunderlying principles disclosed above and claimed herein.

What is claimed is:
 1. A method, carried out by a first apparatus and asecond apparatus, for user authentication comprising: establishing avery short range wireless communication link between the first apparatusand the second apparatus; and authenticating a user of the firstapparatus by the second apparatus directly using a different and shortrange peer to peer wireless communication link between the firstapparatus and the second apparatus in response to establishing the veryshort range wireless communication link.
 2. The method of claim 1wherein authenticating a user of the first apparatus by the secondapparatus using a different and short range peer to peer wirelesscommunication link comprises communicating user logon authenticationinformation between the first and second apparatus using the establishedshort range peer to peer wireless link and wherein link keys areexchanged over the very short range peer to peer wireless communicationlink for use with the short range wireless link.
 3. The method of claim1 wherein the very short range wireless communication link is a nearfield communication link and wherein the short range communication linkhas less than a 30 meter range and wherein the method comprises passinguser authentication credentials from the first apparatus to the secondapparatus.
 4. The method of claim 1 wherein authenticating the user ofthe first apparatus by the second apparatus using a different and shortrange peer to peer wireless communication link comprises sending,without user intervention, by the second device a request to the firstdevice for user authentication information and sending by the firstdevice, a reply without user intervention, that includes a usercertificate.
 5. The method of claim 5 wherein establishing the veryshort range wireless communication link between the first apparatus andthe second apparatus comprises a near field communication tap operationto initiate setup of the different and short range peer to peer wirelesscommunication link.
 6. The method of claim 1 comprising whereinauthenticating the user of the first apparatus by the second apparatususing a different and short range peer to peer wireless communicationlink comprises sending, by the second apparatus, a user logon challengeto the first apparatus in direct response to the very short rangewireless link being established and receiving a user logon reply fromthe first apparatus based on the user logon challenge using the shortrange peer to peer wireless link.
 7. A system for providing userauthentication comprising: a first apparatus comprising: a first veryshort range wireless transceiver; a first short range peer to peerwireless transceiver; and first logic operatively coupled to both thefirst very short range transceiver and the first short range peer topeer wireless transceiver; a second apparatus comprising: a second veryshort range wireless transceiver; a second short range peer to peerwireless transceiver; and second logic operatively coupled to both thesecond very short range transceiver and the second short range peer topeer wireless transceiver; wherein the first and second logic areoperative to: establish a very short range wireless communication linkbetween the first apparatus and the second apparatus; and authenticate auser of the first apparatus by the second apparatus directly using adifferent and short range peer to peer wireless communication linkbetween the first apparatus and the second apparatus in response toestablishing the very short range wireless communication link.
 8. Thesystem of claim 7 wherein authenticating a user of the first apparatusby the second apparatus using a different and short range peer to peerwireless communication link comprises communicating user logonauthentication information between the first and second apparatus usingthe established short range peer to peer wireless link and wherein linkkeys are exchanged over the very short range peer to peer wirelesscommunication link for use with the short range wireless link.
 9. Thesystem of claim 7 wherein the very short range wireless communicationlink is a near field communication link and wherein the short rangecommunication link has less than a 30 meter range and wherein the methodcomprises passing user authentication credentials from the firstapparatus to the second apparatus.
 10. The system of claim 7 whereinauthenticating the user of the first apparatus by the second apparatususing a different and short range peer to peer wireless communicationlink comprises sending, without user intervention, by the second devicea request to the first device for user authentication information andsending by the first device, a reply without user intervention, thatincludes a user certificate.
 11. The system of claim 10 whereinestablishing the very short range wireless communication link betweenthe first apparatus and the second apparatus comprises a near fieldcommunication tap operation to initiate setup of the different and shortrange peer to peer wireless communication link.
 12. The system of claim7 comprising wherein authenticating the user of the first apparatus bythe second apparatus using a different and short range peer to peerwireless communication link comprises sending, by the second apparatus,a user logon challenge to the first apparatus in direct response to thevery short range wireless link being established and receiving a userlogon reply from the first apparatus based on the user logon challengeusing the short range peer to peer wireless link.